RE: Neural Net based Host/Application Anomaly detection systems

From: Bob Walder (bwalder@nss.co.uk)
Date: 02/19/02


From: "Bob Walder" <bwalder@nss.co.uk>
To: "'Scott Nursten'" <scottn@s2s.ltd.uk>, "'husmousa'" <husmousa@aucegypt.edu>, <focus-ids@securityfocus.com>
Date: Tue, 19 Feb 2002 08:45:08 -0000

Interesting....

However, whilst I don't want to piss on anyone's bonfire here (US
trans="rain on anyone's parade" ;o), is that not similar - or at least part
of - what the likes of Okena and Entercept do (I know Okena does LOTS
more...)? Any key differences/similarities you would like to share?

Of course, even if it is the same functionality, an open source version
would be more than welcome.... more power to ya.

Regards,

Bob

-----Original Message-----
From: Scott Nursten [mailto:scottn@s2s.ltd.uk]
Sent: 18 February 2002 18:57
To: husmousa; focus-ids@securityfocus.com
Subject: Re: Neural Net based Host/Application Anomaly detection systems

Working on security systems always involves using multi-layered approaches.
I can see this becoming a widely accepted product if it delivers what is
promised. I can also see it helping in certain non-invasive attempts to
exploit/overflow server-side code (i.e. when a script kiddie does a

GET /index.jsp?blah=aaaaaaaaaaaaaaaa x (50000)

)

...as that might not trigger a standard NIDS signature but seems likely to
show up on your system. It also helps to have some feedback AFTER the
application has done the necessary translations (i.e. Unicode etc.) but I'm
not sure whether or not your product does that.

All in all, I'd say it's a good idea...! Where do we get the beta (alpha?)?
:)

Regards,

Scott Nursten

On 17/2/02 7:41 pm, "husmousa" <husmousa@aucegypt.edu> wrote:

> Hi All,
>
> as part of a 1 year graduation project we (a team of 4 CSCI graduates)
> developed an application based anomaly detection system. By application based
> I mean we focused on securing certain applications (in our case Apache and
> ProFTPD). The reason we chose this approach was due to the analysis mode we
> used. Our analysis engine was based on a neural network which simply tries to
> "categorize" access requests in clusters. These clusters have been previously
> trained using lots and lots of log entries that have been grouped into
> categories (for example, normal, buffer overflow, cgi abuse, ...).
>
> So far nothing new. The promise of this system though is that it has potential
> to detect previously unseen attacks. In fact in our limited lab tests we have
> isolated some logs and used them later to test our system (without being
> previously used in training). This can approximately mimic the real world case
> of new and modified attacks being used against IDS systems that can only
> detect known threats. Our initial results were impressive.
>
> Of course our system will never ever ever replace traditional signature/rule
> based IDS systems (such as snort, realsecure, etc...) but it can effectively
> add a good 10-20% of coverage power specifically against brand new attacks.
>
> I was deliberating on our next step. I wasn't so sure about how widely such a
> product would be accepted if offered as an open source standalone (or
> possibly as a plugin to SNORT).
> We still need to do some work on "commercializing" it, basically doing some
> more training and resolving some performance issues.
>
> I hope I can generate a lot of feedback, thoughts, ideas, advice, ten cents,
> two cents about this project
>
> thanks
>

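The pipeline the original post describes (log entries grouped into labelled categories, clusters trained on them, then held-out logs replayed to see whether unseen attacks still land in the right category) together with Scott's two points (a 50,000-byte query string that matches no NIDS signature, and looking at the request only after the application has decoded it), as an added example. This is not code from the graduation project or from anyone in this thread: the project used a neural network, whereas here a nearest-centroid classifier over five hand-picked request features stands in for the trained clusters; every access_log line is constructed, and the SUSPICIOUS token list is an assumption.

```python
import math
import re
from urllib.parse import unquote

# Only the request line is used; the rest of the Apache combined format is skipped over.
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" \d{3} \S+')

# Substrings that rarely belong in legitimate parameters (an assumed, non-exhaustive list).
SUSPICIOUS = ("../", "/etc/", "/bin/", "cmd.exe", ";", "|", "`", "\n")


def request_uri(line):
    """Extract the request URI from one access_log line; None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.group("uri") if m else None


def features(uri, decode=True):
    """Five numeric features for one URI.

    decode=True percent-decodes first, so %2e%2e%2f is seen as ../ (the 'after
    translation' view Scott asks about). Lengths are log-scaled so a 50,000-byte
    query does not swamp the other features.
    """
    text = unquote(uri) if decode else uri
    _, _, query = text.partition("?")
    longest_run = max((len(m.group(0)) for m in re.finditer(r"(.)\1*", query, re.DOTALL)), default=0)
    specials = sum(1 for c in query if not (c.isalnum() or c in "=&+-_."))
    return (
        math.log10(1 + len(text)),                          # request size
        math.log10(1 + len(query)),                         # query-string size
        specials / len(query) if query else 0.0,            # share of odd characters in the query
        math.log10(1 + longest_run),                        # longest run of one repeated byte
        float(sum(text.count(tok) for tok in SUSPICIOUS)),  # attack-ish tokens after decoding
    )


def train(samples):
    """samples: (label, uri) pairs. Returns z-score stats and one centroid per label."""
    vectors = [(label, features(uri)) for label, uri in samples]
    n, dims = len(vectors), len(vectors[0][1])
    means = [sum(v[d] for _, v in vectors) / n for d in range(dims)]
    stds = [math.sqrt(sum((v[d] - means[d]) ** 2 for _, v in vectors) / n) or 1.0
            for d in range(dims)]
    by_label = {}
    for label, v in vectors:
        by_label.setdefault(label, []).append([(v[d] - means[d]) / stds[d] for d in range(dims)])
    centroids = {label: [sum(p[d] for p in pts) / len(pts) for d in range(dims)]
                 for label, pts in by_label.items()}
    return {"means": means, "stds": stds, "centroids": centroids}


def classify(model, uri):
    """Return (label of the nearest centroid, distance to it); a large distance means
    the request resembles none of the trained clusters and deserves a look anyway."""
    v = features(uri)
    z = [(x - m) / s for x, m, s in zip(v, model["means"], model["stds"])]
    label, centre = min(model["centroids"].items(),
                        key=lambda kv: sum((a - b) ** 2 for a, b in zip(z, kv[1])))
    return label, math.sqrt(sum((a - b) ** 2 for a, b in zip(z, centre)))


def log_line(request):
    # Constructed Apache combined-format line; only the request part varies here.
    return f'10.0.0.1 - - [17/Feb/2002:19:41:00 +0200] "GET {request} HTTP/1.0" 200 1043'


# Constructed, hand-labelled training set standing in for the project's log corpus.
TRAINING = [
    ("normal", log_line("/index.jsp")),
    ("normal", log_line("/images/logo.gif")),
    ("normal", log_line("/search.jsp?q=apache+logs")),
    ("normal", log_line("/login.jsp")),
    ("buffer_overflow", log_line("/index.jsp?blah=" + "a" * 3000)),
    ("buffer_overflow", log_line("/cgi-bin/search.cgi?term=" + "A" * 2500)),
    ("buffer_overflow", log_line("/view.jsp?id=" + "B" * 3500)),
    ("cgi_abuse", log_line("/cgi-bin/phf?Qalias=x%0A/bin/cat%20/etc/passwd")),
    ("cgi_abuse", log_line("/cgi-bin/test.cgi?file=..%2F..%2F..%2Fetc%2Fpasswd")),
    ("cgi_abuse", log_line("/cgi-bin/count.cgi?user=%3Bcat%20/etc/passwd")),
]

# Constructed hold-out lines never seen in training, mimicking the project's own test.
HOLDOUT_OVERFLOW = log_line("/index.jsp?blah=" + "a" * 50000)     # Scott's example
HOLDOUT_TRAVERSAL = log_line("/cgi-bin/nph-test-cgi?%2e%2e%2f%2e%2e%2fetc%2fshadow")
HOLDOUT_NORMAL = log_line("/products.jsp?cat=books&page=2")


def build_model():
    return train([(label, request_uri(line)) for label, line in TRAINING])


def classify_line(model, line):
    uri = request_uri(line)
    return classify(model, uri) if uri else ("unparsed", float("inf"))


if __name__ == "__main__":
    model = build_model()
    for line in (HOLDOUT_OVERFLOW, HOLDOUT_TRAVERSAL, HOLDOUT_NORMAL):
        label, dist = classify_line(model, line)
        print(f"{label:16s} dist={dist:5.2f}  {request_uri(line)[:60]}")
```

The hold-out overflow lands in the buffer_overflow cluster on size and longest-run alone, which is the kind of unseen-but-similar request a signature would miss. The decode flag makes Scott's second point concrete: with decode=False the %2e%2e%2f hold-out carries zero suspicious tokens, with decode=True it carries three, so any such classifier should be fed what the application sees after its own decoding, not the raw wire bytes. Keeping the distance alongside the label lets a request that is far from every centroid be flagged as "unlike anything trained" rather than silently forced into the nearest category.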